Abstract

The minimum spanning tree (MST) construction is a classical problem in Distributed
Computing for creating a globally minimized structure in a distributed manner.
Self-stabilization is a versatile technique for forward recovery that handles any kind of
transient fault in a unified manner. The loop-free property provides an interesting safety
assurance in dynamic networks where edge costs change during operation of the protocol.

We present a new self-stabilizing MST protocol that improves on previously known
approaches in several ways. First, it makes fewer system hypotheses, as the size of the network
(or an upper bound on the size) need not be known to the participants. Second, it is
loop-free in the sense that it guarantees that a spanning tree structure is always preserved
while edge costs change dynamically and the protocol adjusts to a new MST. Finally, time
complexity matches the best known results, while space complexity results show that this
protocol is the most efficient to date.
1 Introduction



Since its introduction in a centralized context [24\ 121], the minimum spanning tree (or MST)
construction problem gained a benchmark status in distributed computing thanks to the
influential seminal work of [12]. Given an edge-weighted graph G = (V, E, w), where w denotes the
edge-weight function, the MST problem consists in computing a tree T spanning V, such that
T has minimum weight among all spanning trees of G.

One of the most versatile techniques to ensure forward recovery of distributed systems is
that of self-stabilization (SJ [6]. A distributed algorithm is self-stabilizing if, after faults and
attacks hit the system and place it in some arbitrary global state, the system recovers from
this catastrophic situation without external (e.g. human) intervention in finite time. A recent
trend in self-stabilizing research is to complement the self-stabilizing abilities of a distributed
algorithm with some additional safety properties that are guaranteed when the permanent and
intermittent failures that hit the system satisfy some conditions. In addition to being
self-stabilizing, a protocol could thus also tolerate a limited number of topology changes [S], crash
faults [HI H], nap faults P [22], Byzantine faults pm [2], and sustained edge cost changes j3[ H9].

This last property is especially relevant when building spanning trees in dynamic networks,
since the cost of a particular edge is likely to evolve through time. If a MST protocol is only
self-stabilizing, it may adjust to the new costs in such a way that a previously constructed MST
evolves into a disconnected or a looping structure (of course, in the absence of new edge cost
changes, the self-stabilization property guarantees that eventually a new MST is constructed).
Of course, if edge costs change unexpectedly and continuously, a MST cannot be maintained
at all times. Now, a packet routing algorithm is loop-free ]12>\ [TT] if at any point in time the
routing tables are free of loops, despite possible modification of the edge weights in the graph
(i.e., for any two nodes u and v, the actual routing tables determine a simple path from u to v,
at any time). The loop-free property [3(12] in self-stabilization guarantees that, once a spanning
tree has been constructed (not necessarily a MST), the self-stabilizing convergence to a "minimal"
(for some metric) spanning tree maintains a spanning tree at all times (obviously, this spanning
tree is not "minimal" at all times). The consequence of this safety property, in addition to that
of self-stabilization, is that the spanning tree structure can still be used (e.g. for routing) while
the protocol is adjusting, which makes it suitable for networks that undergo such very frequent
dynamic changes.

Related works Gupta and Srimani [17] have presented the first self-stabilizing algorithm for
the MST problem. It applies to graphs whose nodes have unique identifiers, whose edges have
integer edge weights, and where a weight can appear at most once in the whole network. To construct
the (unique) MST, every node performs the same algorithm. The MST construction is based
on the computation of all the shortest paths (for a certain cost function) between all the pairs
of nodes. While executing the algorithm, every node stores the cost of all paths from it to all
the other nodes. To implement this algorithm, the authors assume that every node knows the
number n of nodes in the network, and that the identifiers of the nodes are in {1, . . . , n}. Every
node u stores the weight of the edge $e_{u,v}$ placed in the MST for each node $v \neq u$. Therefore
the algorithm requires $\Omega(\sum_{v \neq u} \log w(e_{u,v}))$ bits of memory at node u. Since all the
weights are distinct integers, the memory requirement at each node is O(n log n) bits.

Higham and Lyan [18] have proposed another self-stabilizing algorithm for the MST problem.
As in [17], their work applies to undirected connected graphs with unique integer edge weights and
unique node identifiers, where every node has an upper bound on the number of nodes in the
system. The algorithm performs roughly as follows: every edge aims at deciding whether it
eventually belongs to the MST or not. For this purpose, every non tree-edge e floods the
network to find a potential cycle, and when e receives its own message back along a cycle,
it uses information collected by this message (i.e., the maximum edge weight of the traversed
cycle) to decide whether e could potentially be in the MST or not. If the edge e has not received
its message back after the time-out interval, it decides to become a tree edge. The core memory of
each node holds only O(log n) bits, but the information exchanged between neighboring nodes
is of size O(n log n) bits, thus only slightly improving that of [17].

Table 1: Distributed Self-Stabilizing algorithms for the MST and loop-free SP problems

To our knowledge, none of the self-stabilizing MST construction protocols is loop-free. Since
the aforementioned two protocols also make use of the knowledge of the global number of nodes
in the system, and assume that no two edge costs can be equal, these extra hypotheses make
them suitable for static networks only.

Relatively few works investigate merging self-stabilization and loop-free routing, with the
notable exception of [3, 19]. While [3] still requires that an upper bound on the network diameter
is known to every participant, no such assumption is made in [19]. Also, both protocols use
only a reasonable amount of memory (O(log n) bits per node). However, the metrics that are
considered in [3, 19] are derivative of the shortest path (a.k.a. SP) metric, that is considered a
much easier task in the distributed setting than that of the MST, since the associated metric is
locally optimizable [16], allowing essentially locally greedy approaches to perform well. By
contrast, some sort of global optimization is needed for MST, which often drives higher complexity
costs and thus less flexibility in dynamic networks.

Our contributions We describe a new self-stabilizing algorithm for the MST problem.
Contrary to previous self-stabilizing MST protocols, our algorithm does not make any assumption
about the network size (including upper bounds) or the uniqueness of the edge weights. Moreover,
our solution improves on the memory space usage since each participant needs only O(log n)
bits, and node identifiers are not needed.

In addition to improving over system hypotheses and complexity, our algorithm provides ad- 
ditional safety properties to self-stabilization, as it is loop-free. Compared to previous protocols 
that are both self-stabilizing and loop-free, our protocol is the first to consider non-monotonous 
tree metrics. 

The key techniques that are used in our scheme include fast construction of a spanning
tree, that is continuously improved by means of a pre-order construction over the nodes. The
cycles that are considered over time are precisely those obtained by adding one edge to the
evolving spanning tree. Considering solely that type of cycles reduces the memory requirement
at each node compared to [17, 18] because the latter consider all possible paths connecting pairs
of nodes. Moreover, constructing and using a pre-order on the nodes allows our algorithm to
proceed in a completely asynchronous manner, and without any information about the size of
the network, as opposed to [17, 18]. The main characteristics of our solution are presented in
Table 1, where a boldface denotes the most useful (or efficient) feature for a particular criterion.
2 Model and notations



We consider an undirected weighted connected network G = (V, E, w) where V is the set of
nodes, E is the set of edges and $w : E \to \mathbb{R}^+$ is a positive cost function. Nodes represent
processors and edges represent bidirectional communication links. Additionally, we consider
that G = (V, E, w) is a network in which the weight of the communication links may change
value. We consider anonymous networks (i.e., the processors have no IDs), with one distinguished
node, called the root¹. Throughout the paper, the root is denoted r. We denote by deg(v) the
number of v's neighbors in G. The deg(v) edges incident to any node v are labeled from 1 to
deg(v), so that a processor can distinguish the different edges incident to a node.

The processors asynchronously execute their programs consisting of a set of variables and a 
finite set of rules. The variables are part of the shared register which is used to communicate 
with the neighbors. A processor can read and write its own registers and can read the shared 
registers of its neighbors. Each processor executes a program consisting of a sequence of guarded 
rules. Each rule contains a guard (boolean expression over the variables of a node and its 
neighborhood) and an action (update of the node variables only). Any rule whose guard is true 
is said to be enabled. A node with one or more enabled rules is said to be privileged and may 
make a move executing the action corresponding to the chosen enabled rule. 

A local state of a node is the value of the local variables of the node and the state of its
program counter. A configuration of the system G = (V, E) is the cross product of the local
states of all nodes in the system. The transition from a configuration to the next one is produced
by the execution of an action at a node. A computation of the system is defined as a weakly
fair, maximal sequence of configurations, $e = (c_0, c_1, \ldots, c_j, \ldots)$, where each configuration
$c_{j+1}$ follows from $c_j$ by the execution of a single action of at least one node. During an execution
step, one or more processors execute an action and a processor may take at most one action.
Weak fairness of the sequence means that if any action in G is continuously enabled along the
sequence, it is eventually chosen for execution. Maximality means that the sequence is either
infinite, or it is finite and no action of G is enabled in the final global state.

In the sequel we consider the system can start in any configuration. That is, the local state 
of a node can be corrupted. Note that we don't make any assumption on the bound of corrupted 
nodes. In the worst case all the nodes in the system may start in a corrupted configuration. In 
order to tackle these faults we use self-stabilization techniques. 

Definition 1 (self-stabilization) Let $\mathcal{L}_{\mathcal{A}}$ be a non-empty legitimacy predicate² of an
algorithm $\mathcal{A}$ with respect to a specification predicate Spec such that every configuration
satisfying $\mathcal{L}_{\mathcal{A}}$ satisfies Spec. Algorithm $\mathcal{A}$ is self-stabilizing with respect to Spec iff the
following two conditions hold:

(i) Every computation of $\mathcal{A}$ starting from a configuration satisfying $\mathcal{L}_{\mathcal{A}}$ preserves
$\mathcal{L}_{\mathcal{A}}$ (closure).

(ii) Every computation of $\mathcal{A}$ starting from an arbitrary configuration contains a configuration
that satisfies $\mathcal{L}_{\mathcal{A}}$ (convergence).

We define below a loop-free configuration of a system as a configuration which contains
paths with no cycle between any pair of nodes in the system.

1 Observe that the two self-stabilizing MST algorithms mentioned in the Previous Work section assume that 
the nodes have distinct IDs with no distinguished nodes. Nevertheless, if the nodes have distinct IDs then it is 
possible to elect one node as a leader in a self-stabilizing manner. Conversely, if there exists one distinguished node 
in an anonymous network, then it is possible to assign distinct IDs to the nodes in a self-stabilizing manner [7].
Note that it is not possible to compute deterministically a MST in a fully anonymous network (i.e., without any 
distinguished node), as proved in [17] . 

2 A legitimacy predicate is defined over the configurations of a system and is an indicator of its correct behavior. 
Definition 2 (Loop-Free Configuration) Let Cycle(u, v) be the following predicate defined
for two nodes u, v on configuration C, with P(u, v) a path from u to v described by C:

$\mathrm{Cycle}(u, v) \equiv \exists P(u, v), P(v, u) : P(u, v) \cap P(v, u) = \emptyset$.

A loop-free configuration is a configuration of the system which satisfies
$\forall u, v : \mathrm{Cycle}(u, v) = \mathrm{false}$.

We use the definition of a loop-free configuration to define a loop-free stabilizing system. 

Definition 3 (Loop-Free Stabilization) A distributed system is called loop-free stabilizing
if and only if it is self-stabilizing and there exists a non-empty set of configurations such that
the following conditions hold: (i) Every execution starting from a loop-free configuration reaches
a loop-free configuration (closure), (ii) Every execution starting from an arbitrary configuration
contains a loop-free configuration (convergence).

In the sequel we study the loop-free self-stabilizing LoopFreeMST problem. The legitimacy
predicate $\mathcal{L}_{\mathcal{A}}$ for the LoopFreeMST problem is the conjunction of the following two predicates:
(i) a tree T spanning the network is constructed, (ii) T is a minimum spanning tree of G (i.e.,
$\forall T', W(T) \le W(T')$, where $T'$ is a spanning tree of G and $W(S) = \sum_{e \in S} w(e)$ is the cost of
the subgraph S).

3 The Algorithm LoopFreeMST 

In this section, we describe our self-stabilizing algorithm for the MST problem. We call this 
algorithm LoopFreeMST. In the next section, we shall prove the correctness of this algorithm, 
and demonstrate that it satisfies all the desired properties listed in Section [H including the 
loop-freedomness property. Let us begin by an informal description of LoopFreeMST aiming at 
underlining its main features. 

3.1 High level description 

LoopFreeMST is based on the red rule. That is, for constructing a MST, the algorithm
successively deletes the edges of maximum weight within every cycle. For this purpose, a spanning
tree is maintained, together with a pre-order labeling of its nodes. Given the current spanning
tree T maintained by our algorithm, every edge e of the graph that is not in the spanning
tree creates a unique cycle in the graph when added to T. This cycle is called the fundamental
cycle, and is denoted by $C_e$. (Formally, this cycle depends on T; nevertheless, no confusion
should arise from omitting T in the notation of $C_e$.) If w(e) is not the maximum weight of all
the edges in $C_e$, then, according to the red rule, our algorithm swaps e with the edge f of $C_e$
with maximum weight. This swapping procedure is called an improvement. A straightforward
consequence of the red rule is that if no improvements are possible then the current spanning
tree is a minimum one.

Algorithm LoopFreeMST can be decomposed in three procedures: 

• Tree construction 

• Token label circulation 

• Cycle improvement 

The latter procedure (Cycle improvement) is in fact the core of our contribution. Indeed, the
first two procedures are simple modifications of existing self-stabilizing algorithms, one for
building a spanning tree, and the other for labelling its nodes. We will show how to compose the
original procedure "Cycle improvement" with these two existing procedures. Note that
"Cycle improvement" differs from the previous self-stabilizing implementation of the improvement
swapping in [TH] by the fact that it does not require any a priori knowledge of the network, and
it is loop-free.

LoopFreeMST starts by constructing a spanning tree of the graph, using the self-stabilizing
loop-free algorithm "Tree construction" described in [20]. The two other procedures are
performed concurrently. A token circulates along the edges of the current spanning tree, in a
self-stabilizing manner. This token circulation uses algorithms proposed in jU [23] as follows.
A non-tree-edge can belong to at most one fundamental cycle, but a tree-edge can belong to
several fundamental cycles. Therefore, to avoid simultaneous possibly conflicting improvements,
our algorithm considers the cycles in order. For this purpose, the token labels the nodes of the
current tree in a DFS order (pre-order). This labeling is then used to find the unique path
between two nodes in the spanning tree in a distributed manner, and enables computing the
fundamental cycle resulting from adding one edge to the current spanning tree.



Figure 1: Evolution of the node's state in cycle improvement module. Rule $R_D$ is depicted in
plain. Rule $R_{Err}$ is depicted in bold.

We now sketch the description of the procedure "Cycle improvement" (see Figure 1). When
the token arrives at a node u in a state Done, it checks whether u has some incident edges
not in the current spanning tree T connecting u with some other node v with smaller label.
If it is the case, then u enters state Verify. Let e = {u, v}. Node u then initiates a traversal
of the fundamental cycle $C_e$ for finding the edge f with maximum weight in this cycle. If
w(f) = w(e) then no improvement is performed. Else an improvement is possible, and u enters
state Improve. Exchanging e and f in T results in a new tree T'. The key issue here is to
perform this exchange in a loop-free manner. Indeed, one cannot be sure that two modifications
of the current tree (i.e., removing f from T, and adding e to T) that are applied at two distant
nodes will occur simultaneously. And if they do not occur simultaneously, then there will be a
time interval during which the nodes will not be connected by a spanning tree. Our solution
for preserving loop-freedom relies on a sequence of successive local and atomic changes,
involving a single variable. This variable is a pointer to the current parent of a node in the
current spanning tree. To get the flavor of our method, let us consider the example depicted
on Figure 2. In this example, our algorithm has to exchange the edge e = {10, 12} of weight
9, with the edge f = {7, 8} of weight 10 (Figure 2(a)). Currently, the token is at node 12.
The improvement is performed in two steps, by a sequence of two local changes. First, node 10
switches its parent from 8 to 12 (Figure 2(b)). Next, node 8 switches its parent from 7 to 10
(Figure 2(c)). A spanning tree is preserved at any time during the execution of these changes.
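
The exchange just described, as an added example that is not code from the paper: a centralised Python simulation that plans the sequence of single parent-pointer writes for a non-tree edge and checks that a spanning tree exists after every write. It does not implement the distributed guarded rules or the token; all function names are hypothetical, and only the weights of {10, 12}, {7, 8} and {6, 11} come from the text, the other tree edges and weights being constructed.

```python
# Added example: centralised simulation of one loop-free edge exchange.
# Only the weights of {10,12}, {7,8} and {6,11} come from the text; every
# other edge and weight below is constructed for the illustration.

ROOT = 6
PARENT = {6: None, 7: 6, 8: 7, 10: 8, 11: 6, 12: 11}   # child -> parent
W = {frozenset(e): c for e, c in {
    (10, 12): 9, (7, 8): 10, (6, 11): 3,               # weights named in the text
    (6, 7): 2, (8, 10): 4, (11, 12): 5, (7, 11): 1,    # constructed
}.items()}


def path_to_root(parent, x):
    """Nodes from x up to the root; raises ValueError if the pointers loop."""
    path = [x]
    while parent[path[-1]] is not None:
        nxt = parent[path[-1]]
        if nxt in path:
            raise ValueError("parent pointers contain a loop")
        path.append(nxt)
    return path


def is_spanning_tree(parent, root):
    """True when every node reaches the root by following parent pointers."""
    try:
        return all(path_to_root(parent, n)[-1] == root for n in parent)
    except ValueError:
        return False


def plan_improvement(parent, w, u, v):
    """Ordered (node, new_parent) writes exchanging the non-tree edge {u, v} with
    the heaviest tree edge f of its fundamental cycle; [] if w(f) <= w({u, v})."""
    up_u, up_v = path_to_root(parent, u), path_to_root(parent, v)
    lca = next(n for n in up_u if n in up_v)
    heaviest, writes = w[frozenset((u, v))], []
    for other, path in ((v, up_u), (u, up_v)):
        path = path[:path.index(lca) + 1]        # this endpoint up to the LCA
        for i in range(len(path) - 1):
            cost = w[frozenset((path[i], path[i + 1]))]
            if cost > heaviest:
                heaviest = cost
                chain = path[:i + 1]             # endpoint ... lower end of f
                # The endpoint adopts the other endpoint, then each later node
                # on the chain adopts its former child; the last write drops f.
                writes = list(zip(chain, [other] + chain[:-1]))
    return writes


def apply_writes(parent, writes, root):
    """Apply the writes one at a time; report tree validity after each write."""
    valid = []
    for node, new_parent in writes:
        parent[node] = new_parent                # one atomic pointer update
        valid.append(is_spanning_tree(parent, root))
    return valid


def improve_until_stable(parent, w, root):
    """Stand-in for the token: retry every non-tree edge until none improves.
    Returns the weight of the final tree."""
    changed = True
    while changed:
        changed = False
        for u, v in sorted(tuple(sorted(e)) for e in w):
            if parent[u] == v or parent[v] == u:
                continue                         # tree edge, nothing to verify
            writes = plan_improvement(parent, w, u, v)
            if writes:
                assert all(apply_writes(parent, writes, root))
                changed = True
    return sum(w[frozenset((n, p))] for n, p in parent.items() if p is not None)


if __name__ == "__main__":
    writes = plan_improvement(PARENT, W, 12, 10)
    print("writes:", writes)
    print("safe order:", apply_writes(dict(PARENT), writes, ROOT))
    print("reversed order:", apply_writes(dict(PARENT), writes[::-1], ROOT))
    print("final weight:", improve_until_stable(dict(PARENT), W, ROOT))
```

Applying the same two writes in the reverse order makes nodes 8 and 10 point at each other after the first write, which is the transient loop the ordering is meant to exclude.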

Note that any modification of the spanning tree makes the current labeling globally
inaccurate, i.e., it is not necessarily a pre-order anymore. However, the labeling remains a pre-order
in the portion of the tree involved in the exchange. For instance, consider again the example
depicted on Figure 2(c). When the token eventually reaches node A, it will label it by some
label $\ell > 12$. The exchange of e = {10, 12} and f = {7, 8} has not changed the pre-order for the
fundamental cycle including edge {A, 12}. However, when the token eventually reaches node
B and labels it $\ell' > \ell$, the exchange of e = {10, 12} and f = {7, 8} has changed the pre-order
for the fundamental cycle including edge {B, 9}: the parent of the node labeled 10 is labeled 12
whereas it should have a label smaller than 10 in a pre-order. When the pre-order is modified
by an exchange, the inaccurately labeled node changes its state to Err, and stops the traversal
of the fundamental cycle. The token is then informed that it can discard this cycle, and carry
on the traversal of the tree.




Figure 2: Example of a loop-free improvement of the current spanning tree. The direction of
the edges indicates the parent relation. Edges in the spanning tree are depicted as plain lines;
edges not in the spanning tree are denoted by dotted lines.

3.2 Detailed level description 

We now enter into the details of Algorithm LoopFreeMST. First, let us state all variables used 
by the algorithm. Later on, we will describe its predicates and its rules. 

Variables For any node $v \in V(G)$, we denote by N(v) the set of all neighbors of v in G.
Algorithm LoopFreeMST maintains the set N(v) at every node v. We use the following notations:

• $\mathrm{parent}_v$: the parent of v in the current spanning tree;

• $\mathrm{label}_v$: the integer label assigned to v;

• $d_v$: the distance (in hops) from v to the root in the current spanning tree;

• $\mathrm{state}_v$: the state of node v, with values in {Done, Verify, Improve, End, Propag, Err};

• $\mathrm{DefCycle}_v$: the pair of labels of the two extremities of the non tree-edge corresponding to
the current fundamental cycle;

• $\mathrm{VarCycle}_v$: a pair of variables: the first one is the maximum edge weight in the current
fundamental cycle; the second one is a (boolean) variable in {Before, After};

• $\mathrm{suc}_v$: the successor of v in the current fundamental cycle.

Consistency rules The first task executed by LoopFreeMST is to check the consistency of
the variables of each node; see Figure 1. Done is the standard state of a node when this node
does not hold the token, or is not currently visited by the traversal of a fundamental cycle. When the
variables of a node are detected to be not coherent, the state of the node becomes Err thanks
to rule $R_{Err}$. There is one predicate in $R_{Err}$ for each state, except for state Propag, to check
whether the variables of the node are consistent (see Figure 3). The rule $R_D$ allows the node to
return to the standard state Done. More precisely, rule $R_D$ resets the variables, and stops the
participation of the node in any improvement.

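$R_{Err}$: (Bad label)

If $\mathrm{CoherentCycle}(v) \land \mathrm{Error}(v) \land \mathrm{DefCycle}[0]_v \neq \mathrm{label}_v \land \mathrm{EndPropag}(v)$
then $\mathrm{state}_v := \mathsf{Err}$;

$R_D$: (Improvement consistency)

If $\neg\mathrm{CoherentCycle}(v) \land \mathrm{EndPropag}(v)$
then $\mathrm{state}_v := \mathsf{Done}$; $\mathrm{DefCycle}_v := (\mathrm{label}_v, \mathsf{done})$; $\mathrm{VarCycle}_v := (0, \mathsf{Before})$; $\mathrm{suc}_v := \emptyset$;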



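$\mathrm{CoherentCycle}(v) \equiv \mathrm{Coherent\_Done}(v) \lor \mathrm{Coherent\_Verify}(v) \lor \mathrm{Coherent\_Improve}(v) \lor \mathrm{Coherent\_End}(v) \lor \mathrm{Coherent\_Error}(v)$

$\mathrm{Coherent\_Done}(v) \equiv \mathrm{state}_v = \mathsf{Done} \land \mathrm{suc}_v = \emptyset \land \mathrm{DefCycle}_v = (\mathrm{label}_v, \mathsf{done}) \land \mathrm{VarCycle}_v = (0, \mathsf{Before})$

$\mathrm{Coherent\_Verify}(v) \equiv \mathrm{state}_v = \mathsf{Verify} \land \mathrm{suc}_v = \mathrm{Succ}(v) \land [(\mathrm{Init}(v) \land \mathrm{VarCycle}_v = (0, \mathsf{Before})) \lor \mathrm{Nds\_Verify}(v)]$

$\mathrm{Coherent\_Improve}(v) \equiv \mathrm{state}_v = \mathsf{Improve} \land \mathrm{suc}_v = \mathrm{Succ}(v) \land \mathrm{DefCycle}_v = \mathrm{DefCycle}_{\mathrm{parent}_v} \land \mathrm{VarCycle}_v = \mathrm{VarCycle}_{\mathrm{parent}_v}$

$\mathrm{Coherent\_End}(v) \equiv \mathrm{state}_v = \mathsf{End} \land \mathrm{DefCycle}_v = \mathrm{DefCycle}_{\mathrm{parent}_v} \land (\mathrm{NdDel}(v) \lor \mathrm{Ask\_EI}(v))$

$\mathrm{Coherent\_Error}(v) \equiv \mathrm{state}_v = \mathsf{Err} \land (\mathrm{suc}_v = \mathrm{Succ}(v) = \emptyset \lor \mathrm{Ask\_E}(v)) \land \mathrm{DefCycle}_v = \mathrm{DefCycle}_{\mathrm{Pred}(v)}$

CoherentTree(v) ≡ (v = r ∧ d_v = 0 ∧ s£„ = N) ∨ (v ≠ r ∧ Safe_v ∧ rro„ = d_v) ∨ state_{parent_v} = Improve ∨ state_{parent_v} = Propag

$\mathrm{Ask\_V}(v) \equiv \mathrm{state}_{\mathrm{Pred}(v)} = \mathsf{Verify}$

$\mathrm{Ask\_I}(v) \equiv (\mathrm{state}_{\mathrm{Pred}(v)} = \mathsf{Improve} \land \mathrm{VarCycle}[1]_{\mathrm{Pred}(v)} = \mathsf{Before}) \lor (\mathrm{state}_{\mathrm{suc}_v} = \mathsf{Improve} \land \mathrm{VarCycle}[1]_{\mathrm{suc}_v} = \mathsf{After})$

$\mathrm{Ask\_EI}(v) \equiv (\exists u \in N(v), \mathrm{parent}_u = v \land \mathrm{state}_u = \mathsf{End} \land \mathrm{DefCycle}_u = \mathrm{DefCycle}_v)$

$\mathrm{Ask\_E}(v) \equiv \mathrm{suc}_v \neq \emptyset \land \mathrm{state}_{\mathrm{suc}_v} = \mathsf{Err} \land \mathrm{DefCycle}_v = \mathrm{DefCycle}_{\mathrm{suc}_v}$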

Figure 3: Corrections predicates used by LoopFreeMST. 



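$\mathrm{Tree\_Edge}(v, u) \equiv \mathrm{parent}_v = u \lor \mathrm{parent}_u = v$

$\mathrm{C\_Ancestor}(v) \equiv \mathrm{parent}_v \neq \mathrm{suc}_v \land \mathrm{parent}_v \neq \mathrm{Pred}(v)$

$\mathrm{Init}(v) \equiv \mathrm{DFS\_F}(v) \land \mathrm{DefCycle}[0]_v = \mathrm{label}_v$

$\mathrm{Nds\_Verify}(v) \equiv [(\mathrm{Ask\_V}(v) \land \mathrm{VarCycle}_v = (\mathrm{Max\_C}(v), \mathrm{Way\_C}(v))) \lor \mathrm{Ask\_I}(v)] \land \mathrm{DefCycle}_v = \mathrm{DefCycle}_{\mathrm{Pred}(v)}$

$\mathrm{NdDel}(v) \equiv \mathrm{state}_{\mathrm{parent}_v} \neq \mathsf{Done} \land \mathrm{state}_{\mathrm{parent}_v} \neq \mathsf{Propag} \land \neg\mathrm{Improve}(v)$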

Figure 4: Corrections predicates used by the algorithm. 

Tree construction LoopFreeMST starts by constructing a spanning tree of the graph, using
the self-stabilizing loop-free algorithm "Tree construction" described in [20]. This algorithm
constructs a BFS, and uses two variables parent and distance. During the execution of our
algorithm, these two variables are subject to the same rules as in [20]. After each modification
of the spanning tree, the new distance to the parent is propagated in sub-trees by Rules Rp and
Rp.

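Rp: (Distance propagation)

If $\mathrm{Coherent\_Done}(v) \land \neg\mathrm{Ask\_V}(v) \land (\mathrm{state}_{\mathrm{parent}_v} = \mathsf{Improve} \lor \mathrm{state}_{\mathrm{parent}_v} = \mathsf{Propag}) \land \mathrm{suc}_v \neq \mathrm{parent}_v \land \mathrm{Pred}(v) \neq \mathrm{parent}_v \land d_v \neq d_{\mathrm{parent}_v} + 1$
then $\mathrm{state}_v := \mathsf{Propag}$; $d_v := d_{\mathrm{parent}_v} + 1$;

Rp: (End distance propagation)

If $\mathrm{state}_v = \mathsf{Propag} \land \mathrm{EndPropag}(v)$
then $\mathrm{state}_v := \mathsf{Done}$; $\mathrm{DefCycle}_v := (\mathrm{label}_v, \mathsf{done})$; $\mathrm{VarCycle}_v := (0, \mathsf{Before})$; $\mathrm{suc}_v := \emptyset$;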

Token circulation and pre-order labeling LoopFreeMST uses the algorithm described in
[1] to provide each node v with a label $\mathrm{label}_v$. Each label is unique in the network traversed by
the token. This labeling is used to find the unique path between two nodes in the spanning tree,
in a distributed manner. For this purpose, we use the snap-stabilizing algorithm described in
[23] for the circulation of a token in the spanning tree. We have slightly modified this algorithm
because LoopFreeMST stops the token circulation at a node during the "Cycle improvement"
procedure. A node v knows if it has the token by applying predicate Init(v). Rule $R_{DFS}$ guides
the circulation of the token. The token carries on its tree traversal if one of the following three
conditions is satisfied: (i) there is no improvement which could be initiated by the node which
holds the token, (ii) an improvement was performed in the current cycle, or (iii) inconsistent
node labels were detected in the current cycle. The latter is under the control of Predicate
ContinueDFS(v).

$R_{DFS}$: (Continue DFS token circulation)

If $\mathrm{CoherentCycle}(v) \land \mathrm{Init}(v) \land \mathrm{ContinueDFS}(v)$
then $\mathrm{state}_v := \mathsf{Done}$; $\mathrm{DefCycle}[1]_v := \mathsf{done}$;

Cycle improvement rules The procedure "Cycle improvement" is the core of LoopFreeMST.
Its role is to avoid disconnection of the current spanning tree, while successively improving the
tree until reaching a MST. The procedure can be decomposed in four tasks: (1) to check
whether the fundamental cycle of the non-tree edge has an improvement or not, (2) to perform
the improvement if any, (3) to update the distances, and (4) to resume the token circulation.

Let us start by describing the first task. A node u in state Done changes its state to Verify
if its variables are in a consistent state, it has a token, and it has identified a candidate (i.e., an
incident non-tree edge e = {u, v} whose other extremity v has a smaller label than the one of u).
The latter is under the control of Predicate InitVerify(u), and the variable $\mathrm{VarCycle}_u$ contains the
label of u and v. If the three conditions are satisfied, then the verification of the fundamental
cycle $C_e$ is initiated from node u, by applying rule $R_V$. The goal of this verification is twofold:
first, to verify whether $C_e$ exists or not, and, second, to save information about the maximum
edge weight and the location of the edge of maximum weight in $C_e$. This information is
stored in the variable Way_C(v). In order to respect the orientation in the current spanning
tree, the node u or v that initiates the improvement depends on the localization of the maximum
weight edge f in $C_e$. More precisely, let r be the least common ancestor of nodes u and v in
the current tree. If f occurs before r in T in the traversal of $C_e$ from u starting by edge
(u, v), then the improvement starts from u, otherwise the improvement starts from v. To get
the flavor of our method, let us consider the example depicted on Figure 2. In this example,
f occurs after the least common ancestor (node 6). Therefore node 10 atomically swaps its
parent to respect the orientation. However, if one replaces in the same example the weight of
edge {11, 6} by 11 instead of 3, then f would occur before r, and thus node 12 would have to
atomically swap its parent. The relative places of f and r in the cycle are indicated by Predicate
Way_C(v) that returns two different values: Before or After. During the improvement of the
tree, the fundamental cycle is modified. It is crucial to save information about this cycle during
this modification. In particular, the successor of a node w in a cycle, stored in the variable
$\mathrm{suc}_w$, must be preserved. Its value is computed by Predicate Succ(w) which uses node labels to
identify the current examined fundamental cycle. Each node is able to compute its predecessor
in the fundamental cycle by applying Predicate Pred(v). The state of a node is compared with
the ones of its successor and predecessor to detect potential inconsistent values. At the end of
this task, the node u learns the maximum weight of the cycle $C_e$ and can decide whether it
is possible to make an improvement or not. If not, but there is another non-tree edge e' that
is a candidate for potential replacement, then u verifies $C_{e'}$. Otherwise the token carries on its
traversal, and rule Rp is applied.

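$R_V$: (Verify rule)

If $\mathrm{CoherentCycle}(v) \land \neg\mathrm{Error}(v) \land (\mathrm{InitVerify}(v) \lor [\neg\mathrm{Init}(v) \land (\mathrm{Coherent\_Done}(v) \lor \mathrm{state}_v = \mathsf{Propag}) \land \mathrm{Ask\_V}(v)])$
then $\mathrm{state}_v := \mathsf{Verify}$;

If $\mathrm{DFS\_F}(v)$ then $\mathrm{DefCycle}[1]_v := \mathrm{LabCand}(v)$;

Else $\mathrm{DefCycle}_v := \mathrm{DefCycle}_{\mathrm{Pred}(v)}$; $\mathrm{VarCycle}_v := (\mathrm{Max\_C}(v), \mathrm{Way\_C}(v))$; $\mathrm{suc}_v := \mathrm{Succ}(v)$;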



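$\mathrm{Pred}(v) \equiv \arg\min\{\mathrm{label}_u : u \in N(v) \land \mathrm{state}_u \neq \mathsf{Done} \land \mathrm{state}_u \neq \mathsf{Propag} \land \mathrm{suc}_u = v\}$ if $u$ exists, $\emptyset$ otherwise

$\mathrm{MaxLab}(v, x) \equiv \arg\max\{\mathrm{label}_s : s \in N(v) \land \mathrm{label}_s < x\}$

$\mathrm{Succ}(v) \equiv \begin{cases}
\mathrm{VarCycle}[0]_v & \text{if } \mathrm{DefCycle}[1]_v = \mathrm{label}_v \\
\mathrm{parent}_v & \text{if } (\mathrm{label}_v > \mathrm{DefCycle}[1]_v \land \mathrm{state}_v = \mathsf{Verify}) \lor (\mathrm{label}_v < \mathrm{DefCycle}[1]_v \land (\mathrm{state}_v = \mathsf{Improve} \lor \mathrm{state}_v = \mathsf{End})) \\
\mathrm{MaxLab}(v, \mathrm{DefCycle}[1]_v) & \text{if } (\mathrm{label}_v < \mathrm{DefCycle}[1]_v \land \mathrm{state}_v = \mathsf{Verify}) \\
\mathrm{MaxLab}(v, \mathrm{label}_v) & \text{if } (\mathrm{label}_v > \mathrm{DefCycle}[1]_v \land (\mathrm{state}_v = \mathsf{Improve} \lor \mathrm{state}_v = \mathsf{End}))
\end{cases}$

$\mathrm{Max\_C}(v) \equiv \max\{\mathrm{VarCycle}[0]_{\mathrm{Pred}(v)}, w(v, \mathrm{Pred}(v))\}$

$\mathrm{Way\_C}(v) \equiv \begin{cases}
\mathsf{After} & \text{if } \mathrm{VarCycle}[0]_v \neq \mathrm{VarCycle}[0]_{\mathrm{Pred}(v)} \land \mathrm{label}_v > \mathrm{label}_{\mathrm{Pred}(v)} \\
\mathrm{VarCycle}[1]_{\mathrm{Pred}(v)} & \text{otherwise}
\end{cases}$

$\mathrm{LabCand}(v) \equiv \min\{\mathrm{label}_u : u \in N(v) \land \mathrm{label}_u < \mathrm{label}_v \land \neg\mathrm{Tree\_Edge}(v, u) \land \mathrm{label}_u \succ \mathrm{DefCycle}[1]_v\}$ if $u$ exists, $\mathsf{end}$ otherwise

$\succ$ is the order on neighbor labels for which 'end' is the biggest element and 'done' is the smallest one.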



Figure 5: Predicates used by the algorithm. 

If $C_e$ can yield an improvement, then rule $R_I$ is executed. By this rule, a node enters state
Improve, and changes its parent to its predecessor if $\mathrm{VarCycle}[1]_v = \mathsf{Before}$ (respectively to its
successor if $\mathrm{VarCycle}[1]_v = \mathsf{After}$). For this purpose, it uses the variable $\mathrm{suc}_v$ and the predicate
Pred(v).

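$R_I$: (Improve rule)

If $\mathrm{CoherentCycle}(v) \land \neg\mathrm{Error}(v) \land \mathrm{Coherent\_Verify}(v) \land \mathrm{Improve}(v) \land \neg\mathrm{C\_Ancestor}(v) \land [(\mathrm{DFS\_F}(v) \land \mathrm{Ask\_V}(v)) \lor \mathrm{Ask\_I}(v)]$
then $\mathrm{state}_v := \mathsf{Improve}$;

If $\mathrm{DFS\_F}(v) \lor \mathrm{state}_{\mathrm{Pred}(v)} = \mathsf{Improve}$ then $\mathrm{VarCycle}_v := \mathrm{VarCycle}_{\mathrm{Pred}(v)}$;

If $(\mathrm{DFS\_F}(v) \land \mathrm{VarCycle}[1]_v = \mathsf{Before}) \lor \neg\mathrm{DFS\_F}(v)$ then $\mathrm{parent}_v := \mathrm{Pred}(v)$;

If $\mathrm{state}_{\mathrm{suc}_v} = \mathsf{Improve}$ then $\mathrm{VarCycle}_v := \mathrm{VarCycle}_{\mathrm{suc}_v}$; $\mathrm{parent}_v := \mathrm{suc}_v$;

If $w(v, \mathrm{suc}_v) > \mathrm{VarCycle}[0]_v$ then $\mathrm{suc}_v := \mathrm{Succ}(v)$;

$d_v := d_{\mathrm{parent}_v} + 1$;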

At the end of an improvement, it is necessary to inform the node holding the token that
it has to carry on its traversal. This is the role of rule R_E. It is also necessary to inform all
nodes impacted by the modification that they have to update their distances to the root (see 
Section I 



R_E: (End of improvement rule)

If CoherentCycle(v) ∧ ¬Error(v) ∧ End_Improve(v) ∧ EndPropag(v)
then state_v := End;

Candidate(v) = LabCand(v) ≠ end

InitVerify(v) = Init(v) ∧ Candidate(v) ∧ (Coherent_Done(v) ∨ [Coherent_Verify(v) ∧ ¬Improve(v) ∧ ¬C_Ancestor(v) ∧
Ask_V(v)])

ImproveF(v, x) = ¬Tree_Edge(v, x) ∧ max(VarCycle[0]_v, VarCycle[0]_x) > w(v, x)
Improve(v) = ImproveF(v, Pred(v)) ∨ ImproveF(v, suc_v)
End_Improve(v) = Coherent_Improve(v) ∧ (NdDel(v) ∨ Ask_EI(v))

ContinueDFS(v) = (Init(v) ∧ [([Coherent_Done(v) ∨ (Coherent_Verify(v) ∧ ¬ImproveF(v, Pred(v)) ∧ Ask_V(v))] ∧
¬Candidate(v)) ∨ Coherent_End(v) ∨ Error(v)]) ∨ ¬DFS_F(v)

Error(v) = state_v ≠ Done ∧ state_v ≠ Err ∧ (suc_v = Succ(v) = ∨ Ask_E(v))

EndPropag(v) = (∀u ∈ N(v), parent_u = v ∧ state_u = Done ∧ d_u = d_v + 1)

Figure 6: Predicates used by the algorithm. 



Module composition. All the different modules presented, except the tree construction parts
of the correction module, need the presence of a spanning tree in G. Thus, we must execute the
tree construction rules first if an incoherency in the spanning tree is detected. To this end, these
rules are composed using the level composition defined in [15]. If Predicate CoherentTree(v) is
not verified then the tree construction rules are executed, otherwise the other modules can be
executed. The token circulation algorithm and the naming algorithm are composed together
using the conditional composition described in [3]. Finally, we compose the token circulation
algorithm and the cycle improvement module with a conditional composition using Predicate
ContinueDFS(v) defined in the algorithm. This allows the token circulation algorithm to be
executed only if the cycle improvement module does not need the token on a node. Figure 7
shows how the different modules are composed together.





[Figure 7 diagram: the Cycle improvement, Token circulation, Labeling and Tree construction
modules, with a legend distinguishing level composition from conditional composition.]



Figure 7: Composition of the presented modules. 



4 Concluding remarks 

We presented a new solution to the distributed MST construction that is both self-stabilizing and
loop-free. It improves on memory usage from O(n log n) to O(log n), yet doesn't make strong
system assumptions such as knowledge of network size or uniqueness of edge weights, making it
particularly suited to dynamic networks. Two important open questions are raised:

1. For depth first search tree construction, self-stabilizing solutions that use only constant
memory space do exist. It is unclear how the obvious constant space lower bound can be
raised with respect to metrics that minimize a global criterion (such as MST).

2. Our protocol pioneers the design of self-stabilizing loop-free protocols for non locally
optimizable tree metrics. We expect the techniques used in this paper to be useful to add
the loop-free property for other metrics that are only globally optimizable, yet designing
such a generic approach is a difficult task.

Appendix



Correctness proof 

We use the algorithm given in [20] to construct a breadth first search spanning tree. Note
that the algorithm given in [20] satisfies the loop-free property. Therefore, in the remainder we
suppose there is a constructed spanning tree.

Theorem 1 (LoopFreeMST) Starting from an arbitrary spanning tree of the network G, LoopFreeMST
algorithm is a self-stabilizing loop-free algorithm.

Proof. Let T be a spanning tree of network G and v a node of T. If v is in an incoherent state
then according to Lemma 1 below, the algorithm bootstraps the state of v, otherwise the token
continues its circulation in the tree until a verification on a node is needed (Lemma 3). When
the token is on a node that has candidate edges not in the tree (i.e. whose fundamental cycle is
not yet checked), according to Corollary 1 the algorithm verifies if an amelioration (see Section
13.11 for the definition of an amelioration) must be performed using these non-tree edges and
according to Lemma 5 an improvement is performed if an improvement is possible. Moreover,
the algorithm performs all possible improvements (Lemma 7) until no improvement is feasible
(Lemma [DJ and Corollary [5]), i.e. a minimum spanning tree is reached.

Starting from a spanning tree T of the network, during the execution of the algorithm no
cycle is created and a spanning tree structure is preserved (see Corollary 3). Moreover, according
to Lemma 11 if T is a minimum spanning tree then T is maintained by the algorithm. □

Lemma 1 (Bootstrap) A node v in an incoherent state for the cycle improvement module
eventually verifies the predicate CoherentCycle(v).

Proof. A node may have six different states in the algorithm: Done, Verify, Improve, End, Err,
and Propag. The coherence of a node in these different states is defined respectively by
predicates Coherent_Done, Coherent_Verify, Coherent_Improve, Coherent_End, and Coherent_Error. For
the state Propag, we detect if the propagation is done using Predicate EndPropag(v) to allow
the execution of Rule Rq to reinitialize the state of the node. According to the algorithm
description, if a node v is not coherent (i.e. does not respect one of the previously mentioned
predicates), Predicate CoherentCycle(v) is not verified, since the previously mentioned predicates
are exclusive because a node can have only one state. Thus, v can execute Rule Rp to correct its
variables to a coherent state satisfying Predicate Coherent_Done(v). As a consequence Predicate
CoherentCycle(v) is satisfied too (see Rule Rq). □

Lemma 2 If CoherentCycle(v) = true, Succ(v) = and EndPropag(v) = true then eventually
a node v is in status Err and satisfies Coherent_Error(v).

Proof. We show that if a node v in a fundamental cycle has no successor because of bad
labels then v changes its status to Err. Predicate Succ(v) is in charge of giving the successor of
a node in a fundamental cycle based on the node labels, following Observation 1 below. Thus,
if Predicate Succ(v) returns no successor this implies that bad labels disturb the computation
of the successor. Predicate Error(v) is in charge of detecting bad labels. We show that a node v
which is part of a fundamental cycle (i.e. satisfies Predicate CoherentCycle(v)) and detects an
error or has its successor in status Err changes its status to Err (except the initiator node, i.e.
DefCycle[0]_v ≠ label_v). We do not consider the status Done since in this status no node has a
successor (see Predicate Error(v)).

Consider any node v (except the initiator node) which satisfies Predicate CoherentCycle(v).
To change its status to Err a node must execute Rule R_Err and we must consider two cases:
a node with no successor, or a node with a successor in status Err. In the first case, a node
v satisfies Predicate Error(v) (see Predicate Error(v)) and v can execute Rule R_Err. After the
execution of Rule R_Err v satisfies Predicate Coherent_Error(v) since state_v = Err, Succ(v) =
and DefCycle_v = DefCycle_{Pred(v)}. In the second case, suppose that for a node v we have
state_{suc_v} = Err. According to Predicate Ask_E(v), Error(v) = true and thus v can execute
Rule R_Err to change its status to Err. After the execution of Rule R_Err v satisfies Predicate
Coherent_Error(v) since state_v = Err, Ask_E(v) = true and DefCycle_v = DefCycle_{Pred(v)}. One
can show by induction following the same argument that any node part of a fundamental cycle
with bad labels changes its status to Err (except the initiator node). □

Lemma 3 (Token circulation) Starting from a configuration where a spanning tree T is
constructed, if a node v has the DFS token and satisfies CoherentCycle(v) then eventually Predicate
ContinueDFS(v) returns true.

Proof. Predicate ContinueDFS(v) notices when the DFS token must continue its circulation
in the tree. The DFS token must continue its circulation in four cases: (1) a node in status
Done has no candidate edge, (2) a node in status Verify with no possible improvement has no
candidate edge, (3) an improvement was done in the fundamental cycle, or (4) bad labels are
detected in the fundamental cycle.

In case 1, for node v, Coherent_Done(v) = true (otherwise according to Lemma 1 its state is
reinitialized). In case 2, for node v, Coherent_Verify(v) = true (otherwise according to Lemma 1
its state is reinitialized) and Predicate ImproveF(v) is used to detect possible improvements (see
the proof of Lemma 4). For cases 1 and 2, if v has no candidate, Predicate Candidate(v) = false
(see Predicate Candidate(v) and proof of Lemma 4) and thus Predicate ContinueDFS(v) is
satisfied. In case 3, according to Lemma 6 the initiator node v satisfies Predicate Coherent_End(v)
and Predicate ContinueDFS(v) returns true. Finally in case 4, according to Lemma 2 the
successor of the initiator node v is in status Err so Predicate Ask_E(v) = true and Predicate Error(v)
returns true. Thus, Predicate ContinueDFS(v) returns true.

Therefore, in all the above cases Predicate ContinueDFS(v) returns true and v can execute
Rule R_DFS to allow the token circulation. It then changes its status to Done and sets DefCycle[1]_v
to done to force the verification of all adjacent candidate edges in the next tree traversal by the
DFS token. □

Observation 1 Let T be a tree spanning V and correctly labeled. Let an edge e = {u, v} ∈
E, e ∉ T, C_e its fundamental cycle and x the fundamental cycle root of C_e. There is always a
path P(u, v) in T between u and v, such that P(u, v) can be decomposed in two parts: a sub-path
P(x, u) ⊂ P(u, v) (resp. P(x, v) ⊂ P(u, v)) with increasing labels from x to u (resp. x to v).

Lemma 4 (Cycle verification) Let v be a node of T such that v has the DFS token with at
least an adjacent edge e = {u, v} ∈ E, e ∉ T whose fundamental cycle is not already verified by
the algorithm. Eventually the cycle improvement module verifies if there is an improvement in
C_e.

Proof. Suppose first that v has the DFS token and v is in a coherent state Done, otherwise
according to Lemma 1 its state is corrected. Let e = {u, v} be a non-tree edge, which is a
candidate edge for v, i.e., we have Candidate(v) ≠ end. We consider that label_u < label_v since
a candidate edge for node v is an adjacent non-tree edge e = {u, v} with label_u < label_v, see
predicate LabCand(v). Since v is in a coherent state Done and Candidate(v) ≠ end, we have
variable DefCycle[1]_v equal to done, Predicates CoherentCycle(v) and InitVerify(v) return true,
whereas Predicate Error(v) returns false. Thus, v can execute Rule R_V. Note that Rule R_DFS
cannot be executed since Predicate ContinueDFS(v) returns false since Candidate(v) ≠ end. As a
consequence v stops the DFS token and becomes the initiator node of cycle C_e with u as target
node (see Rule R_V).

After the execution of Rule R_V, v is in state Verify and according to predicate Succ(v) v
selects its father as next node in the cycle (i.e. suc_v = parent_v). Note that since v is in coherent
state Done variable VarCycle_v = (0, Before). Cycle C_e is decomposed in two parts (see Lemma
1): (1) from the initiator v to the root x of C_e and (2) from x to the target node u. In the
following we prove by induction on the length of cycle C_e that a node a belonging to C_e executes
Rule R_V and eventually is in state Verify. Moreover, variable suc_a describes the successor of a
in C_e (i.e. encodes the cycle C_e).

Case 1: Consider a coherent node a in state Done (see Lemma 1) which does not have the DFS
token (i.e. Predicate Init(a) is false). Consider the successor node of C_e's initiator node v. As
described above, v is in state Verify and suc_v = a. According to Predicate Pred(a), v is the
predecessor of a in cycle C_e since a is the parent of v in the tree. Thus, Predicate Ask_V(a)
returns true and a could execute Rule R_V. Therefore, a is in state Verify and selects its parent
as its successor in C_e, like v. Moreover, a computes the new heaviest edge from v to a and
notices that the heaviest edge location is before (i.e. Before) the root of C_e (see respectively
predicates Max_C and Way_C). Using the same scheme, we can show that all nodes on C_e
between v and x (including x) execute Rule R_V and are in state Verify.

Case 2: Consider a coherent node a in state Done (see Lemma 1) which does not have the DFS
token (i.e. Predicate Init(a) is false) and is the successor node of x. As described in case 1,
x is in state Verify. Since x is the parent of a in the tree, Predicate Pred(a) returns x as
predecessor of a. Thus, Predicate Ask_V(a) returns true and a can execute Rule R_V. Node a selects
as its successor in C_e the child with the highest label smaller than the label of target node u (see
predicates MaxLab(a) and Succ(a)). Moreover, a computes the new heaviest edge from v to
a and if a has a different heaviest edge, a notices that the heaviest edge location is after (i.e.
After) the root of C_e, otherwise a takes the location of its predecessor (see respectively predicates
Max_C and Way_C). Using the same scheme, we can show that all nodes on C_e between x and
u (including u) execute Rule R_V and are in state Verify. Note that the target node u selects
v as its successor in C_e (see Predicate Succ(u)).

Consider now that v has the DFS token, is in a coherent state Verify and the predecessor of v
is in state Verify (i.e. Ask_V(v) = true). Note that the predecessor of v is the target node u.
As described in case 2, target node u knows the weight of the heaviest edge e' in C_e (e' ∈ T).
Thus, v could check if there is an improvement in C_e (see Predicate Improve(v)). □

Corollary 1 (Node cycles verification) Let T be a spanning tree and v be a node of T such
that v has the DFS token. Eventually for each adjacent candidate edge e of v, the cycle
improvement module verifies if there is an improvement in C_e.

Proof. We prove that while there is no improvement initiated by v, each edge e = {u, v} ∈
E, e ∉ T is eventually examined by the cycle improvement module. We consider the two cases
below: (1) there is no improvement initiated by v, or (2) an improvement can be done in C_e for
a candidate edge e. Consider an arbitrary candidate edge e = {u, v} ∈ E, e ∉ T. According to
Lemma 4, v eventually verifies if there is an improvement in C_e.

Case 1: If there is no improvement in C_e and v has another candidate edge (i.e. predicates
Candidate(v) and InitVerify(v) return true) then v must check if there is an improvement in the
fundamental cycle of the new candidate edge. According to Lemma 4, v could execute again
Rule R_V with a new target and stay in a coherent state Verify. Therefore for each non-tree
adjacent edge e, v eventually verifies if there is an improvement in the fundamental cycle C_e.

Case 2: If an improvement can be done in C_e, when the improvement is done, v is in the state
End. Thus, Predicate ContinueDFS(v) returns true and Rule R_DFS can be executed to continue
the token circulation in the tree. However, the next time v has the token as described in case 1,
v eventually checks again the previously examined edges, but v will also check candidate edges
not previously visited. □

Definition 4 (Red Rule) If C is a cycle in G = (V, E) with no red edges then color in red 
the maximum weight edge in C . 

Theorem 2 (Tarjan et al. [25]) Let G be a connected graph. If it is not possible to apply
Red Rule then the set of not colored edges forms a minimum spanning tree of G.

Lemma 5 (Improvement) Let an edge e = {u, v} ∈ E, e ∉ T and let C_e be its fundamental
cycle. If there exists a possible improvement in C_e then the algorithm eventually performs the
improvement.

Proof. According to Definition [U there is an improvement in a cycle C if the edge of
maximum weight in C belongs to the current tree and one can use the Red Rule. Given an edge
e = {u, v} ∈ E, e ∉ T and C_e its fundamental cycle, Lemma 2 states that the initiator node v
detects if there is an improvement in cycle C_e. Assume that an improvement can be performed
in cycle C_e (i.e. predicate Improve(v) = true). As proved in Lemma 4, u and v are in a coherent
state Verify and have a successor, thus we have CoherentCycle(v) = true, Error(v) = false and
Ask_V(v) = true. Since v is the initiator node of C_e, v has the DFS token and could not be
the root of C_e (i.e. DFS_F(v) = true and C_Ancestor(v) = false). So v can execute Rule R_I,
to change its state to Improve and to update its estimation of the heaviest edge of C_e and the
heaviest edge location to the values of its predecessor (i.e. the target node u). Two cases have
to be analyzed: (1) the heaviest edge location is between v and x (i.e. VarCycle[1]_v = Before)
or (2) between u and x (i.e. VarCycle[1]_v = After). In the two cases, the improvement must be
propagated from v to x (resp. u to x) until reaching the (first) heaviest edge or the root of C_e
(if the weight of the heaviest edge has been reduced). Indeed, the root of C_e must not change
its parent to a neighbor in C_e otherwise it disconnects its subtree from the rest of the tree.

Case 1: Since VarCycle[1]_v = Before, v takes as new parent its predecessor in the cycle. Let
a be a node in coherent state Verify between v and x (Note: a exists, otherwise suppose a is
in an incoherent state; according to Lemma 1, a reinitiates its state to Done, which induces a
propagation of state Done in C_e, since the nodes are no more coherent with their predecessors,
and stops the improvement until a new verification of C_e is restarted). If the improvement must
continue (i.e. Predicate Improve(a) returns true), a is not the root of C_e and its predecessor is
in state Improve (see Predicate Ask_I) then a can execute Rule R_I. So, a changes its state to
Improve, updates its variable VarCycle_a to the value of its predecessor and takes its predecessor
as its parent. This propagation continues until reaching a node a which stops the improvement
(i.e. Improve(a) = false or C_Ancestor(a) = true).

Case 2: VarCycle[1]_v = After and as in case 1 v executes Rule R_I but v changes only its
state to Improve and updates its variable VarCycle_v to the value of its predecessor. Hence v
does not change its parent. Consider the target node u, we have Ask_I(u) = true since v is in
state Improve. So, u executes Rule R_I, changes its state to Improve, updates VarCycle_u to its
successor value and changes its parent to its successor (i.e. parent_u = v). As described in case
1, the improvement is propagated in the cycle from u to x until a node a is reached which stops
the improvement (i.e. Improve(a) = false or C_Ancestor(a) = true).

Overall, if an improvement exists then this improvement is eventually performed. □

Lemma 6 If v satisfies Coherent_Improve(v) and EndPropag(v) then v eventually changes its
status to End and the predicate Coherent_End(v) is satisfied.

Proof. We conduct the proof by induction on the length of the fundamental cycle. A node
involved in an improvement executes Rule R_E to inform its predecessor or successor of the end of the
improvement. An improvement can be propagated by a successor or a predecessor in the cycle.
We show the lemma considering that the improvement is propagated by the successor of a node,
but the same idea can be applied by considering predecessor instead of successor. Moreover, we
assume that labels are correct in the fundamental cycle, otherwise it is not necessary to inform
the end of the improvement since according to Lemma 2 the nodes are in state Err. Let x be the
node which detects the end of the improvement and y the initiator node in a fundamental cycle.

Consider the node x, such that Coherent_Improve(x) = true and w(x, suc_x) > VarCycle[0]_x.
Predicate End_Improve(x) = true since Coherent_Improve(x) = true and NdDel(x) is satisfied
because Improve(x) = false. Thus, x can execute Rule R_E and changes its status to End.
Therefore, Coherent_End(x) is satisfied since state_x = End, NdDel(x) = true and DefCycle_x =
DefCycle_{parent_x} because x and its parent are in the same fundamental cycle. Now,
suppose by induction hypothesis that any node u between x and the initiator node y is in
state End and Coherent_End(u) is satisfied. Consider the initiator node y, state_y = Improve,
Coherent_Improve(y) = true and state_{suc_y} = End. Predicate End_Improve(y) is satisfied because
Predicate Ask_EI(y) = true since state_{suc_y} = End and DefCycle_y = DefCycle_{suc_y}. Thus, y can
execute Rule R_E and changes its status to End. Therefore, Predicate Coherent_End(y) is satisfied
since state_y = End, Ask_EI(y) = true and DefCycle_y = DefCycle_{parent_y} because y and its parent
are in the same fundamental cycle. □

Lemma 7 (MST construction) Given a spanning tree T, the cycle improvement module
performs an improvement if T is not a minimum spanning tree of G.

Proof. According to the token circulation algorithm [23], eventually each node in the tree
is visited and holds the token. Consider a node v in the tree T, which has the DFS token.
According to Corollary 1 eventually each adjacent candidate edge of v is examined by the cycle
improvement module. Thus, if an improvement is possible this one is detected according to
Lemma 4 and performed by v according to Lemma 5. Therefore, if an improvement is possible
the cycle improvement module performs it. □

Lemma 8 Let T be an existing minimum spanning tree of G. The algorithm performs no
improvement.

Proof. Let T be an existing minimum spanning tree of G and v be a node in T which has
the DFS token. Let e = {u, v}, e ∉ T, an adjacent candidate edge of v and C_e its corresponding
fundamental cycle. Suppose the cycle improvement module performs an improvement in C_e.
We prove by contradiction that no improvement could be performed by the algorithm.

Let w(C_e) be the maximum edge weight in C_e, excluding edge e. According to Definition 01
to initiate an improvement from v the following condition must be verified: w(C_e) > w(e).
According to Lemma 01 the predecessor u of v holds the maximum edge weight in C_e (i.e.
VarCycle[0]_u = w(C_e)). To perform an improvement, Predicate Improve(v) must return true to
allow v to execute Rule R_I. This implies that max(VarCycle[0]_v, VarCycle[0]_u) > w(u, v) (see
Predicate Improve(v)), i.e. w(C_e) > w(u, v) (since VarCycle[0]_u = w(C_e)) which contradicts the
fact that no improvement can be performed in C_e. Therefore, v cannot execute Rule R_I if no
improvement is possible in a fundamental cycle. □

Corollary 2 (MST conservation) Let T be an existing minimum spanning tree of G. The 
algorithm maintains a spanning tree. 

Proof. Lemma 8 shows that no improvement is performed by the algorithm if T is a minimum
spanning tree of G, i.e. Rule R_I cannot be executed by a node. Therefore, according to Lemma
8 and by Remark 1 a spanning tree is maintained. □

Lemma 9 (Convergence) Starting from an illegitimate configuration eventually the
algorithm reaches in a finite time a legitimate configuration.

Proof. If the initial configuration contains no spanning tree, there is a node v such that
Predicate CoherentTree(v) = false and according to the level composition (defined in [15]) we
use the algorithm given in [20] to construct a breadth first search spanning tree. Otherwise, the
initial configuration contains a spanning tree which is not a minimum spanning tree. According
to Lemma 7 and El improvements are performed by the cycle improvement module until a
minimum spanning tree is reached. Moreover, according to Lemma 10 a spanning tree is preserved
by the cycle improvement module. Finally, there are at most m − n + 1 fundamental cycles in any
graph so a finite number of improvements can be performed by the cycle improvement module.
Thus, in a finite time the algorithm returns a minimum spanning tree. □

Remark 1 According to the cycle improvement module description, only Rule R_I could change
the parent of a node.

Lemma 10 Let T be an existing tree spanning V, no move performed by the cycle improvement
module disconnects T.

Proof. There are two cases in which the existing tree T spanning V is disconnected. It is
necessary (1) to delete an edge of T by changing the parent of a node (except the root of T)
to itself or (2) to attribute as new parent of a node a neighbor belonging to its descendants in
the tree. Consider the execution of Rule R_I (see Remark 1). Rule R_I can be executed by a node
if this one is in state Verify and is a coherent node (see predicate Coherent_Verify in Rule R_I).
As described in the proof of Lemma 4 a coherent node in state Verify has a predecessor and a
successor in a fundamental cycle; note that the initiator has a predecessor because it must wait
until this one (i.e. the target node) is in state Verify to execute Rule R_I (see predicate Ask_V).

Case (1) is not permitted by the algorithm. The new parent of a node is its predecessor
or successor in the fundamental cycle (see Rule R_I). Thus the algorithm selects as new parent
another node different from the node itself.

Case (2) is not permitted by the algorithm, since the new parent of a node executing Rule
R_I is its predecessor or successor in the fundamental cycle and the edge between the node and
its new parent is not already in the tree (see predicate Improve). In other words, the algorithm
adds and deletes two adjacent edges in the fundamental cycle, which gives after each move a
new spanning tree. Moreover, the algorithm cannot change the parent of a fundamental cycle
root (see predicate C_Ancestor in guard of Rule R_I), in particular the root of the tree, otherwise
the subtree of the fundamental cycle root could be disconnected from the rest of the tree. Thus,
the new parent is an ancestor or another node with the same ancestor in the tree.

Therefore, after each move performed by the algorithm a spanning tree is preserved. □

Corollary 3 (Loop-free property) Let T be an existing tree spanning V, after any move
performed by the cycle improvement module Cycle(T, u, v) = false, ∀u, v ∈ V.

Proof. In a configuration where a spanning tree T is constructed, we have Cycle(T, u, v) =
false, ∀u, v ∈ V otherwise it contradicts the fact that T is a spanning tree. Moreover, according
to Case (2) in the proof of Lemma 10 any move of the cycle improvement module preserves a
spanning tree structure. Thus, for any move Cycle(T, u, v) = false, ∀u, v ∈ V. □

Lemma 11 (Closure) Starting from a legitimate configuration the algorithm preserves a
legitimate configuration.

Proof. Let T be an existing tree spanning V, such that T is a minimum spanning tree of
G. Thus, ∀v ∈ V, CoherentTree(v) = true. According to the level composition (defined in [15]),
since on a node v the predicate CoherentTree(v) determines if the tree must be reconstructed,
the only modules executed are the token circulation with labeling module given respectively in
[22 0] and the cycle improvement module. The conditional composition (defined in [3]) between
the token circulation with labeling module and the cycle improvement module, using Predicate
ContinueDFS(v) on a node v determines which module has to be executed. According to Lemma
3 for any node v ∈ V eventually Predicate ContinueDFS(v) = true and the DFS token continues
its circulation. Otherwise, only the cycle improvement module is executed. According to Lemma
8 and Corollary 2 a minimum spanning tree of G is preserved by the cycle improvement module
and therefore by the algorithm composed of the different modules. □

Complexity 

Lemma 12 Starting from a configuration where an arbitrary spanning tree is constructed, in
at most O(mn) rounds the cycle improvement module produces a minimum spanning tree of G,
with respectively m and n the number of edges and nodes of the network G.

Proof. In a given network G = (V, E), if a spanning tree of G is constructed then there
are exactly m − (n − 1) fundamental cycles in G since there are n − 1 edges in any spanning
tree of G. Thus, a tree edge can be contained in at most m − n + 1 fundamental cycles.
Consider a configuration where a spanning tree T of G is constructed and a tree edge e_0 is
contained in m − n + 1 fundamental cycles and all tree edges have a weight equal to 1, except
e_0 of weight w(e_0) > 1. Suppose that T is not a minimum spanning tree of G such that
∀e_i ∈ E, i = 1, ..., m − n + 1, w(e_{i−1}) > w(e_i) with e_0 ∈ T and ∀i = 1, ..., m − n + 1, e_i ∉ T
and w(e_i) > 1 (see the graph of Figure 8(a)). Consider the following sequence of improvements:
∀i, i = 1, ..., m − n + 1, exchange the tree edge e_{i−1} by the non-tree edge (see a sequence
of improvements in Figure 8). In this sequence, we have exactly m − n + 1 improvements and
this is the maximum number of improvements to obtain a minimum spanning tree since there
are m − n + 1 fundamental cycles and for each one we apply the Red rule (see Definition 5
and Theorem 2). An improvement can be initiated in the cycle improvement module by a node
with the DFS token. The DFS token performs a tree traversal in O(n) rounds. Moreover, each
improvement needs to cross a cycle a constant number of times and each cross requires O(n)
rounds. Since at most m − n + 1 improvements are needed to obtain a minimum spanning tree,
at most O(mn) rounds are needed to construct a minimum spanning tree. □

Figure 8: (a) a spanning tree with plain lines in a graph with m − n + 1 improvements, (b)
the spanning tree obtained after the first improvement, (c) the spanning tree obtained after
the second improvement, (d) the minimum spanning tree of the graph obtained after the third
improvement.
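
The parent-by-parent edge exchange argued in Lemma 10 and Corollary 3, run on a worst-case instance in the style of Lemma 12, as an added example (a centralized Python simulation, not the authors' distributed protocol). The graph, weights and function names are constructed for illustration; labels, tokens and node states are not modelled.

```python
# Added example: centralized simulation of the cycle improvement module.
# The sample graph and all function names are constructed for illustration.

def path_up(parent, v):
    """Nodes from v up to the tree root, following parent pointers."""
    path = [v]
    while parent[path[-1]] is not None:
        path.append(parent[path[-1]])
    return path


def cycle_sides(parent, u, v):
    """Split the fundamental cycle of non-tree edge {u, v} at its root x.

    Returns (x, side_u, side_v); each side lists the nodes from the endpoint
    up to, but excluding, x.
    """
    up_u, up_v = path_up(parent, u), path_up(parent, v)
    ancestors_u = set(up_u)
    x = next(a for a in up_v if a in ancestors_u)
    return x, up_u[:up_u.index(x)], up_v[:up_v.index(x)]


def is_spanning_tree(parent, nodes):
    """One root, and every parent chain reaches it without revisiting a node."""
    if sum(1 for v in nodes if parent[v] is None) != 1:
        return False
    for v in nodes:
        seen = set()
        while v is not None:
            if v in seen:
                return False
            seen.add(v)
            v = parent[v]
    return True


def improve(parent, w, nodes, u, v):
    """Apply the Red Rule to the fundamental cycle of non-tree edge {u, v}.

    Returns the number of single-node parent changes (0 if no improvement).
    The cycle root never changes its parent, as required by C_Ancestor.
    """
    _, side_u, side_v = cycle_sides(parent, u, v)
    best = None  # (weight, node below the heaviest tree edge, its side, far endpoint)
    for side, other in ((side_v, u), (side_u, v)):
        for c in side:
            wt = w[frozenset((c, parent[c]))]
            if best is None or wt > best[0]:
                best = (wt, c, side, other)
    heaviest, a, side, other = best
    if heaviest <= w[frozenset((u, v))]:
        return 0  # strict inequality, as in predicate ImproveF
    new_parent, moves = other, 0
    for c in side[:side.index(a) + 1]:
        parent[c] = new_parent  # one node changes its parent to its cycle neighbor
        moves += 1
        if not is_spanning_tree(parent, nodes):  # loop-free check after every move
            raise AssertionError("spanning tree broken after move of node %r" % c)
        new_parent = c
    return moves


def loop_free_mst(nodes, edges, parent):
    """Repeat cycle improvements until none applies; parent is updated in place."""
    w = {frozenset((a, b)): wt for a, b, wt in edges}
    improvements = moves = 0
    changed = True
    while changed:
        changed = False
        for u, v, _ in edges:
            if parent[u] == v or parent[v] == u:
                continue  # tree edge
            done = improve(parent, w, nodes, u, v)
            if done:
                improvements += 1
                moves += done
                changed = True
    weight = sum(w[frozenset((c, p))] for c, p in parent.items() if p is not None)
    return improvements, moves, weight


def demo():
    """Constructed instance: n = 8, m = 10, tree edge {0, 1} lies in all 3 cycles."""
    nodes = list(range(8))
    parent = {0: None, 1: 0, 2: 0, 3: 0, 4: 0, 5: 1, 6: 1, 7: 1}
    edges = [(0, 1, 10), (0, 2, 1), (0, 3, 1), (0, 4, 1), (1, 5, 1),
             (1, 6, 1), (1, 7, 1), (2, 5, 9), (3, 6, 8), (4, 7, 7)]
    return loop_free_mst(nodes, edges, parent) + (is_spanning_tree(parent, nodes),)


if __name__ == "__main__":
    print(demo())
```

On this instance the run performs m − n + 1 = 3 improvements through 8 single-node parent changes, and the spanning-tree check holds after each of them.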

Lemma 13 Starting from a legitimate configuration, after a weight edge modification the system
reaches a legitimate configuration in at most O(mn) rounds.

Proof. After a weight edge change the system is no more in a legitimate configuration in the
following cases: (1) the weight of a non-tree edge is less than the weight of the heaviest tree
edge in its fundamental cycle, or (2) the weight of a tree edge is greater than the weight of a
non-tree edge in one of the fundamental cycles including the tree edges.

In each case above, the algorithm must verify if improvements must be performed to reach
again a legitimate configuration, otherwise the system is still in a legitimate configuration.
Thus, in case (1) it is only sufficient to verify if an improvement must be performed in the
fundamental cycle associated to the non-tree edge (i.e. to apply the Red rule a single time).
To this end, its fundamental cycle must be crossed at most three times: the first time to verify
if an improvement is possible, a second time to perform the improvement and a last time to
end the improvement; each one needs at most O(n) rounds. According to Lemma and the
improvement is performed by the algorithm which leads to a legitimate configuration. Case (2)
is more complicated, indeed the weight of a tree edge can change which leads to a configuration
where at most m − n + 1 improvements must be performed to reach a legitimate configuration,
since a tree edge can be contained in at most m − n + 1 fundamental cycles as described in the proof
of Lemma 12. Since each improvement phase needs O(n) rounds (see case (1)) at most O(mn)
rounds are needed to reach a legitimate configuration.

The complexity of case (2) dominates the complexity of the first case. Therefore, after a
weight edge change at most O(mn) rounds are needed to reach a legitimate configuration. □